10
minute read
Home   /   Blog   /   
What Is a Legal Hold and How Does It Work

Most disputes don’t become expensive because a claim is filed. They become expensive when key records cannot be found, systems keep deleting data, or no one acts quickly enough to safeguard evidence.

That is why a legal hold matters. Once litigation, a regulatory inquiry, or a serious internal investigation is reasonably anticipated, organisations may need to pause ordinary deletion practices and retain potentially relevant information. Done properly, this protects evidence, reduces risk, and helps legal teams respond with confidence. Done badly, it can create avoidable cost, sanctions, and credibility problems.

As Harry Boxall, CEO of Safelink, puts it: “A legal hold is not just a notice, it is a test of whether an organisation can control its own information when it matters most.”

For in-house counsel, law firms, compliance leaders, and IT teams, understanding the preservation duty behind a legal hold is now part of modern risk management.

What Is a Legal Hold

A legal hold is a formal instruction to preserve documents, emails, messages and other records that may be relevant to a legal matter, investigation or regulatory inquiry. Its purpose is simple: stop potentially important evidence from being deleted, altered or lost when a dispute or investigation is on the horizon.

In practice, this means pausing normal deletion processes for information that could become relevant. When connected to court proceedings or anticipated claims, the same process is often referred to as a litigation hold. Similar preservation measures are also used during regulatory investigations and internal misconduct reviews.

The records involved might include emails and attachments, Teams or Slack messages, shared drive files, HR records, finance documents, mobile communications, CCTV footage or call recordings. The exact scope depends on the matter and where relevant information is likely to exist.

A legal hold does not mean keeping everything forever. It means preserving the right information at the right time in a way that can be defended if questions are asked later.

This is where many organisations run into difficulty. Understanding the concept is one thing. Identifying the right custodians, securing the right systems and proving that preservation steps were actually followed is something else entirely. A legal hold notice on its own does not guarantee compliance.

When is a Legal Hold Is Required

The duty to issue a legal hold usually arises when litigation is active, threatened, or foreseeable. It can also arise during a regulatory investigation data hold scenario, internal misconduct review, or data breach response.

Common triggers include receiving a letter before action, an employment dispute that moves beyond internal procedures, or a contract breakdown followed by legal threats. A legal hold may also be needed after whistleblowing allegations, regulator enquiries, fraud or bribery concerns, or a serious accident where claims are likely to follow. In many cases, the duty to retain records begins before formal proceedings do.

The key issue is not whether proceedings have started. It is whether a reasonable organisation should anticipate that documents or data may soon be needed.

That is why waiting until proceedings begin can be too late. It’s crucial that automatic deletion policies be suspended as soon as a dispute arises, and relevant electronic records retained. Once a hold is in place, the next challenge is often working out what information exists, where it sits and what is actually relevant, which is where eDiscovery comes in. 

Strong legal hold compliance requirements depend on recognising the trigger early and acting quickly.

How a Legal Hold Works Step by Step

Teams will likely know the term "legal hold," but fewer have a repeatable process. Good execution relies on clear legal hold process steps.

1. Identify the trigger

Legal or compliance teams assess the dispute, complaint, or investigation and determine whether preservation duties have arisen.

2. Define scope

Relevant custodians, date ranges, business units, systems, and record types are identified. This is where how to implement a legal hold becomes strategic. Too narrow, and evidence is missed. Too broad, and business disruption grows.

3. Issue the legal hold notice

A formal legal hold notice is sent to relevant custodians. This begins the custodian notification process and should be acknowledged, not ignored in inboxes.

4. Suspend deletion routines

This may involve document retention suspension, mailbox holds, cloud storage retention changes, and pausing auto-delete settings. Proper litigation hold data preservation requires coordination with IT.

5. Secure data sources

Relevant emails, files, chats, mobile content, and records are secured. This may involve in place hold vs litigation hold decisions. In some cases, data remains in the live system; in others, it is locked down more tightly.

6. Monitor and document

The best programmes maintain a legal hold audit trail, showing who was notified, what systems were secured, reminders sent, and decisions made.

7. Release the hold

Once the matter concludes and counsel confirms preservation is no longer needed, normal retention rules can resume.

These legal hold process steps form the backbone of a defensible ediscovery legal hold workflow.

What a Legal Hold Notice Must Include

A weak legal hold notice creates confusion. A well-drafted one creates action.

At minimum, a legal hold notice should identify the matter, the custodians or teams affected, the categories of records to retain, and the relevant time period. It should also specify which systems or devices are in scope, what routine deletion or editing must stop immediately, who owns follow-up queries, and that obligations remain in force until a formal release is issued.

The best notices use plain language. They explain preservation obligations in real terms, not vague legal jargon.

Be specific about what must be retained

One of the most common mistakes is assuming employees know what "relevant information" means. In practice, different people interpret that instruction differently.

For example, saying "preserve all relevant communications" leaves room for uncertainty. Does that include Teams chats? WhatsApp messages used for work? Draft documents? Personal devices used for business communications? Shared drive folders?

A stronger notice removes that ambiguity. Instructions such as "do not delete emails, Teams chats, WhatsApp messages used for work, drafts, notes, or files relating to Project Orion from January onwards" are far more likely to achieve consistent compliance across the organisation.

The more specific the guidance, the less likely important evidence will be overlooked.

Make responsibilities clear

A legal hold notice should not simply tell people what to preserve. It should also make clear who is responsible for taking action.

Legal teams may own the hold itself, but IT often needs to suspend retention policies, secure accounts or preserve data sources. Managers may need to identify additional custodians. Individual employees may need to stop deleting records or moving files.

Without clear ownership, organisations can end up assuming someone else has handled the task. Many legal hold failures stem not from bad intent, but from uncertainty about responsibility.

A good notice should explain what action is required, who must take it, and where questions should be directed.

Create a record of compliance

Issuing a notice is only part of the process. Organisations should also be able to demonstrate that it was received, understood and acted upon.

This is where the legal hold documentation process becomes important. Organisations should maintain records of who received the notice, who acknowledged it, what reminders were sent, and what preservation actions were taken. If the scope of the matter changes, updates should also be documented.

If questions arise later about missing records or preservation failures, the ability to show a clear audit trail can be just as important as the original notice itself.

A defensible legal hold is not simply about sending an email. It is about being able to demonstrate that reasonable steps were taken to preserve relevant information throughout the life of the matter.

Types of Legal Holds and How They Differ

Not every legal hold looks the same. As Harry Boxall says, “The strongest hold processes are shaped by risk and facts, not by templates.” A regulatory inquiry, employment dispute, and fraud investigation may all require data retention, but not in the same way.

Type of legal hold Typical trigger Primary focus
Litigation hold Actual or anticipated litigation Preserve evidence relevant to claims, disclosure, witness evidence and settlement discussions
Regulatory hold Regulatory enquiries, audits or inspections Retain records required to demonstrate compliance, governance and decision-making
Internal investigation hold Fraud, misconduct, whistleblowing or HR matters Secure facts and evidence while an organisation investigates what happened
In-place hold Need to preserve data within live systems Retain information without significantly disrupting day-to-day operations
Enterprise legal hold management Multiple matters across departments or jurisdictions Coordinate, track and manage preservation obligations at scale

Litigation hold

Used where disputes or claims are active or reasonably anticipated. This is the classic court-focused model, designed to protect records that may become relevant to pleadings, disclosure, witness evidence, or settlement strategy. Typical sources include emails, contract files, internal messaging, decision logs, and communications between key custodians. Timing matters because by the time formal proceedings begin, relevant data may already be at risk.

Regulatory hold

Triggered by regulator enquiries, audits, inspections, or sector investigations. Scope often extends beyond core documents to include governance records, approvals, reporting trails, internal communications, policies, training records, and evidence of decision-making. Regulatory matters can move quickly and may require broader retention across multiple teams than a standard litigation hold.

Internal investigation hold

Used during misconduct, harassment, fraud, ethics, whistleblowing, or serious HR matters, often before litigation has begun. The purpose is to secure facts while an organisation establishes what happened and decides next steps. These holds can later evolve into litigation or regulatory matters, which is why early discipline around evidence handling is important.

In-place hold vs litigation hold

The in place hold vs litigation hold distinction matters operationally. An in-place hold safeguards data within the live source system while users continue working, often making it less disruptive in the short term. A stricter litigation hold may involve collecting data into a secure review environment, restricting deletion rights, or limiting access where there is concern about alteration, confidentiality, or evidential integrity. The right choice depends on systems capability, risk, and urgency.

Enterprise legal hold management

Large organisations often run multiple holds simultaneously across departments, jurisdictions, custodians, and matters. That creates complexity around overlapping notices, changing staff, different retention schedules, and inconsistent systems. Effective enterprise legal hold management usually depends on central governance, clear ownership, automated tracking, and technology that can scale without losing visibility.

The right model depends on risk, urgency, systems architecture, regulatory exposure, and the level of business disruption an organisation can reasonably absorb.

What Happens If a Legal Hold Is Not Followed

Failure to follow a legal hold can be expensive long before any sanction is imposed. Once relevant material is lost, an organisation may face missing evidence, adverse inferences, higher disclosure costs, regulator criticism, financial penalties, reputational damage, and a weaker negotiating position in settlement discussions. In serious cases, courts may conclude that missing records would have been unfavourable to the party that failed to retain them.

At the centre of this sits spoliation of evidence risk, where documents or data are destroyed, altered, or lost after preservation duties have arisen. Courts and regulators often focus less on whether the loss was deliberate and more on whether reasonable steps were taken once the risk was known.

Real-world failures are usually ordinary operational breakdowns. Mailboxes continue auto-deleting after 30 days, exiting employees are offboarded before accounts are secured, Teams or Slack messages disappear under retention settings, shared folders are overwritten, or key custodians were never included in the original hold notice. What looks minor internally can become highly significant once disclosure begins.

Well-known cases illustrate the point. In Zubulake v. UBS Warburg, deleted emails became a landmark example of failed preservation obligations. In Klipsch Group v. ePRO E-Commerce, the court found wilful spoliation after files were deleted and wiping software was used. UK courts have also shown little sympathy where relevant material is deliberately destroyed or carelessly lost once preservation duties are in play.

That is why compliance risk legal hold issues are rarely caused by bad intent alone. More often, they stem from weak ownership, fragmented systems, poor communication between Legal and IT, or the absence of a defensible legal hold documentation process. If the explanation later becomes, “we thought IT handled it,” the organisation is already on the back foot.

How Safelink Supports Legal Hold Workflows

Safelink helps organisations manage the practical side of evidence control, defensibility, and review once a legal hold is in motion.

Using secure workspaces such as Lexiti, teams can strengthen their ediscovery legal hold workflow by centralising in-scope material, controlling access permissions, searching evidence sets, building chronologies, collaborating across matters, and maintaining clearer reporting for counsel or regulators.

This supports stronger litigation hold data preservation and clearer governance when matters become complex.

Harry Boxall explains it well: “The biggest risk is often not the dispute itself. It is not knowing where your evidence is, who touched it, or whether it can be trusted.”

For organisations managing growing data volumes, hybrid working, and multiple communication channels, a robust legal data governance policy supported by the right technology is increasingly essential.

Build a Legal Hold Process You Can Defend

A defensible legal hold depends on early action, securing the right information quickly, accountable ownership, and evidence of the steps taken if those decisions are later challenged. That means well-drafted notices, coordination between Legal, IT, Compliance, and Records teams, suspended deletion processes where needed, secure handling of in-scope data, and a reliable audit trail from start to release.

For many organisations, the gap is not policy, it is execution. Data sits across email, cloud storage, chat platforms, mobile devices, and shared systems, while responsibilities are spread across multiple teams. Without a controlled workflow, small delays can become expensive problems.

Safelink helps legal and compliance teams bring order to that process through secure evidence management, searchable matter data, permission-based access, chronology tools, and defensible reporting. If your team is reviewing current readiness, handling a live matter, or strengthening future response capability, explore Safelink’s Lexiti to see for yourself how a stronger preservation workflow can reduce risk.

Power your casework with a free Lexiti workspace
Lexiti brings eDiscovery, chronology building, bundle preparation and AI assistance into workspace.
Learn more

Frequently Asked Questions

Power your casework with a free Lexiti workspace

Lexiti brings eDiscovery, chronology building, bundle preparation and AI assistance into workspace.
View plans